Enabling Firewall to pass DHCP traffic - How?
Glenn Schmottlach
11/08/2010 7:09 PM
post73982
I am *trying* to come up with firewall rules to allow DHCP to work reliably from my firewalled target system.
The simplest firewall (when enabled with 'pfctl -e') works perfectly with dhcp.client:
## Scrub
scrub in all
## Filter Rules
pass in log all keep state
pass out log all keep state
Monitoring /dev/pflog0 I see the following when I make a dhcp.client request:
> dhcp.client -um
rule 1/0(match): pass out on en0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
rule 0/0(match): pass in on en0: 10.30.174.2.67 > 10.30.175.133.68: BOOTP/DHCP, Reply, length 363
rule 0/0(match): pass in on en0: 10.30.174.3.67 > 10.30.175.133.68: BOOTP/DHCP, Reply, length 363
rule 0/0(match): pass in on en0: 10.30.175.4.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
Next I tried a more complex firewall rule:
## Macros
local_if="lo0"
syn_only="S/FSRA"
icmp_types=echoreq
## Tables
## Options
## Scrub
scrub in all
## Filter Rules
block all
anchor "eth/*"
# Allow the local interface to talk unrestricted
pass in quick on $local_if all
pass out quick on $local_if all
To this configuration I added rules to the "eth" anchor using pfctl:
> cat en0_rules ./en0_rules | pfctl -a eth/en0 -f -
Where the en0_rules file contains the following directives:
enet_if=en0
syn_only="S/FSRA"
icmp_types=echoreq
eth_tcp_services="{ 22, 23, 42, 53, 67, 68, 80, 113, 851, 2011, 2021, 6010, 6020, 6667, 7667, 8000, 9402 }"
eth_udp_services="{ 22, 23, 42, 53, 67, 68, 851 }"
# Default TCP policy
block return-rst in log on $enet_if proto TCP all
pass in log quick on $enet_if inet proto tcp from any to ($enet_if) port $eth_tcp_services flags $syn_only keep state
pass in log quick on $enet_if inet proto udp from any to ($enet_if) port $eth_udp_services
# Default ICMP policy
block in log on $enet_if proto icmp all
pass in log quick on $enet_if inet proto icmp all icmp-type $icmp_types keep state
# Allow all outbound traffic
block out log on $enet_if all
pass out log quick on $enet_if all keep state
Notice that both TCP/UDP ports 67,68 are opened. As I understand it, I should only need to allow UDP data out to the
server on port 67 and the server should reply back to the client (my target) on UDP port 68. When I tcpdump /dev/pflog0
I see the request go out the interface (en0) but nothing passes back through the firewall (or is logged as being
blocked). Will the returning UDP packet on port 68 show up in the pflog0 trace? I don't know all the details of the DHCP
handshake, but it would seem the reply back from the server might not contain a destination IP address (since one
hasn't been assigned to my target yet) and is routed via the MAC address to my target. Could this be the source of my
problems and is there any way to configure a rule to allow the response back from the DHCP server through?
So it boils down to a simple question: can anyone suggest a filter rule that will explicitly allow DHCP traffic (only)
through an otherwise blocked firewall?
Thanks . . .
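An added example, not part of the original post, showing one way to write the "eth/en0" anchor so that DHCP passes while everything else stays blocked. The point it illustrates: in the anchor ruleset above the only inbound UDP rule is restricted with `to ($enet_if)`, which pf resolves at run time to the addresses currently configured on en0. While a lease is still being negotiated en0 has no IPv4 address, so an OFFER/ACK addressed to the offered address (10.30.175.133 in the trace) or to 255.255.255.255 matches neither that rule nor the state created by the outgoing request (0.0.0.0:68 -> 255.255.255.255:67). It then falls through to the main ruleset's `block all`, which carries no `log` keyword and therefore never appears on pflog0, which is consistent with seeing nothing logged as blocked. The interface name, macro values and service lists are taken from the post; ports 67 and 68 are dropped from the service lists because DHCP is UDP-only and gets dedicated rules here, and the rule ordering and comments are mine.

```pf
# en0_rules: anchor ruleset loaded into "eth/en0" (added example, not the original poster's file)
enet_if=en0
syn_only="S/FSRA"
icmp_types=echoreq
eth_tcp_services="{ 22, 23, 42, 53, 80, 113, 851, 2011, 2021, 6010, 6020, 6667, 7667, 8000, 9402 }"
eth_udp_services="{ 22, 23, 42, 53, 851 }"

# Log whatever this anchor drops, so blocked inbound traffic is visible on pflog0
# instead of silently hitting the main ruleset's unlogged "block all".
block in log on $enet_if all

# DHCP client traffic (UDP only; no TCP rule is needed).
# Outbound: DISCOVER/REQUEST leave as 0.0.0.0:68 -> 255.255.255.255:67; a renewal
# is unicast from the leased address to the server, still port 68 -> 67.
pass out log quick on $enet_if inet proto udp from any port 68 to any port 67 keep state
# Inbound: OFFER/ACK come from the server's port 67 to port 68. The destination is
# the offered address or 255.255.255.255, neither of which is in ($enet_if) while
# the interface is unconfigured, so this rule deliberately says "to any".
# Requests from other clients (port 68 -> 67 arriving on en0) are not matched here
# and stay blocked.
pass in log quick on $enet_if inet proto udp from any port 67 to any port 68

# Default TCP policy
block return-rst in log on $enet_if proto tcp all
pass in log quick on $enet_if inet proto tcp from any to ($enet_if) port $eth_tcp_services flags $syn_only keep state

# Remaining UDP services, which are only reachable once en0 has an address
pass in log quick on $enet_if inet proto udp from any to ($enet_if) port $eth_udp_services

# Default ICMP policy
block in log on $enet_if proto icmp all
pass in log quick on $enet_if inet proto icmp all icmp-type $icmp_types keep state

# Allow all other outbound traffic
block out log on $enet_if all
pass out log quick on $enet_if all keep state
```

Load it with `pfctl -a eth/en0 -f en0_rules` and confirm what landed with `pfctl -a eth/en0 -s rules`. If the main ruleset's `block all` is changed to `block log all`, anything that falls out of the anchor is also logged, which makes the "request goes out, nothing comes back" symptom show up in a tcpdump of /dev/pflog0 as an explicit block rather than as silence. Whether the server sends OFFER/ACK unicast to the offered address (as in the trace above) or broadcast to 255.255.255.255 depends on the client's broadcast flag; the `to any port 68` rule covers both.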